Since Kevin Mitnick coined the phrase in 2002, the cybersecurity industry has been awash with the phrase 'the human factor is the weakest link’. From vendors to researchers, engineers, hackers, and journalists, we are all fond of blaming the ‘dumb users’. In this talk I argue that when we say that the ‘human being is the weakest link in cybersecurity’, not only are we telling a lie, we are inevitably setting ourselves up for a fall.

1. IN DEFENCE OF THE
HUMAN FACTOR
Dr Ciarán Mc Mahon
Tivi Digital & Cyber Security,
Scandic Park, Helsinki,
24.11.2016

2. Introduction
• Today’s talk
• The so-called ‘weakest’ so-called ‘link’
• The ETTO principle
• Everything is broken
• Victim-blaming
• Building a positive cyber security culture

3. About me
Dr Ciarán Mc Mahon is a director of the Institute of Cyber
Security and an award-winning academic psychologist from
Ireland. A former Government of Ireland Scholar, he has
published research on the history of psychological language,
the psychology of social media, digital wellness and the social
impact of cybercrime. Ciarán has worked at a number of third
level institutions, and is currently an occasional lecturer at
University College Dublin. Ciarán also has extensive media
experience and regularly contributes on topics relating to the
human aspects of information technology to national and
international outlets including Sky News, BBC Radio London,
USA Today, Fortune Magazine, and The Guardian.

4. The Institute of Cyber Security aims to help
companies and organisations develop the most
resilient cyber security culture possible.

5. It all started with Bruce Schneier (2000)

6. It all started with Bruce Schneier (2000)

7. and continued with Kevin Mitnick (2002)

8. and continued with Kevin Mitnick (2002)

10. AS A HUMAN BEING,
I RESENT THIS!

11. What about the other links
in the security chain?
Are they really stronger, and more secure?

12. ‘Everything is broken’
Quinn Norton
It’s hard to explain to regular people
how much technology barely works,
how much the infrastructure of our lives
is held together by the IT equivalent of
baling wire.
Computers, and computing, are broken.

13. Update of the art
Recent patches
o 16 updates of iOS in the last year
o 3 Flash updates in a single month
o How quickly did Windows 8 become
Windows 8.1?

14. Update of the art
Recent patches
o Only 7.5% of all Android devices are
running its most secure operating system
o This is currently being investigated by
the US Federal Trade Commission

15. ‘Another flaw in the human character is that
everybody wants to build and nobody wants to do
maintenance’

16. So why are we blaming people for security
problems, when the technology is falling apart?

17. Acceptable accident causes (Hollnagel & Amalberti,
2001)
Accidents are always found to have
been
o associated with a system structure
o which can be reduced within accepted
limits of cost and time
o conforms to current “norms” for
explanations

18. Human error is a meaningless concept
Every day the average office worker clicks on hundreds of hyperlinks as
part of their job. But one day, they click on the wrong one, and suddenly
they’re the cause of malware infection.
Hollnagel’s (2006) ETTO principle – ‘efficiency-thoroughness trade-off’
Sometimes things go wrong, sometimes things go right.

19. The flipside
o We say that ‘the human factor is the weakest link in
cybersecurity’ because it’s a lot easier than tackling the real
problem
o the fact that IT is falling apart
o But that’s not the only reason we shouldn’t say ‘the human
factor is the weakest link in cybersecurity’

20. IBM 2015 Cyber Security Intelligence Index

21. But how can you expect your employees to
listen to you when you are assume that they
are stupid or untrustworthy?

22. But how can you expect your employees to
listen to you when you are assume that they
are stupid or untrustworthy?
WE NEED TO CHANGE HOW WE TALK ABOUT
HUMAN FACTORS IN CYBERSECURITY

23. Victim blaming (Cross, 2015)
Discourse on online fraud is based on
idea of greedy/gullible victims
o does not take into account level of
deception and sophisticated targeting
o humour isolates victims and impacts
their ability to warn others

24. Understanding abusive insiders
Posey, Bennett, & Roberts (2011) :
o employees who do not feel that their
organisations trust them will engage in
more computer abuse when security
measures are brought in

25. Organisational justice and fairness
Bulgurcu, Cavusoglu, & Benbasat
(2009):
o creating a fair environment and
ensuring procedural justice in regards
to implementing security rules and
regulations is the key to effective
information security management.

26. Are CISOs their own worst enemy?
(Ashenden & Sasse, 2013)
CISOs struggle to gain credibility due
to:
o confusion about their role identity
o inability to engage effectively with
employees

27. If we want our colleagues, co-workers and corporate level
executives to engage with cybersecurity policy, we have to
stop seeing them as the weakest link. We have to start
engaging with them, trusting them, and educating them.
It’s that simple.

28. Thank you.
Email info@instituteofcybersecurity.com
Phone(IRE) +353 1 5137093
Phone(UK) +44 203 8085226
Address Unit 1, 77 Sir John Rogerson’s Quay,
Dublin 2, Ireland
For full report, contact ciaran@instituteofcybersecurity.com

29. Studies cited
Ashenden, D., & Sasse, A. (2013). CISOs and organisational culture: Their own worst enemy? Computers and Security, 39, 396–405.
http://doi.org/10.1016/j.cose.2013.09.004
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2009). Roles of information security awareness and perceived fairness in information security
policy compliance. 15th Americas Conference on Information Systems 2009, AMCIS 2009, 5, 3269–3277.
Cross, C. (2015). No laughing matter: Blaming the victim of online fraud. International Review of Victimology, 21(2), 187–204.
http://doi.org/10.1177/0269758015571471
Hollnagel, E. (2009). The ETTO Principle: Why things that go right sometimes go wrong. Farnham, UK: Ashgate.
Hollnagel, E., & Amalberti, R. (2001). The emperor’s new clothes: Or whatever happened to “human error”? 4th International Workshop on
Human Error, Safety and Systems Development, (April), 1–18.
Mitnick, K. D., & Simon, W. L. (2002). The art of deception: Controlling the human element of security. Indianapolis, IN: John Wiley & Sons
Posey, C., Bennett, R. J., & Roberts, T. L. (2011). Understanding the mindset of the abusive insider: An examination of insiders’ causal
reasoning following internal security changes. Computers and Security, 30(6-7), 486–497. http://doi.org/10.1016/j.cose.2011.05.002

30. Other sources
Goodin, D. (2016, May 10). Feds probe mobile phone industry over the sad state of security updates. Ars Technica
http://arstechnica.com/security/2016/05/feds-probe-mobile-industrys-security-update-practices/
IBM (2015). IBM 2015 Cyber Security Intelligence Index. http://www-01.ibm.com/common/ssi/cgi-
bin/ssialias?subtype=WH&infotype=SA&htmlfid=SEW03073USEN&attachment=SEW03073USEN.PDF
Lonergan, K. (2015, June 30). The human factor: top tips to strengthen the weakest link in the information security chain. http://www.information-
age.com/technology/security/123459735/human-factor-top-tips-strengthen-weakest-link-information-security-chain
Meetup.com (2016, April 7). Human Factors in (Cyber) Security: Exploiting the Weakest Link? http://www.meetup.com/French-IT-Group-
Australia-Asia/events/230137510/
Norton, Q. (2014, May 20). 'Everything is broken'. The Message (Medium). https://medium.com/message/everything-is-broken-
81e5f33a24e1#.sc7pf19g3
SANS Institute (2001). The Weakest Link: The Human Factor Lessons Learned from the German WWII Enigma Cryptosystem.
https://www.sans.org/reading-room/whitepapers/vpns/weakest-link-human-factor-lessons-learned-german-wwii-enigma-cryptosystem-
738
Schneier, B. (2000). Secrets and lies: Digital security in a networked world. New York: John Wiley & Sons.
Singer, P.W. & Friedman, A. (2014). Cybersecurity: What Everyone Needs to Know. Oxford: OUP.
https://books.google.ie/books?id=9VDSAQAAQBAJ&dq
Vishwanath, A. (2016, May 5). Cybersecurity’s weakest link: humans. The Conversation. https://theconversation.com/cybersecuritys-weakest-
link-humans-57455
Wright, A. (2016, April 13). Humans in cyber security – the weakest link. https://www.itgovernance.co.uk/blog/humans-in-cyber-security-the-
weakest-link/